Summary:
I'm trying to inject various things in the dedicated server properties to ensure security in my server tracker crawler/web pages. (https://7daystodie.online)
Game Version: Alpha.20.7.1
Platform: Steam
OS/Version: Linux
CPU Model: Ryzen 5 2600
Game mode: Dedicated server
Did you wipe old saves? Yes
Did you start a new game? Yes
Did you validate your files? Yes
Are you using any mods? No
EAC on or off? ON
Status: NEW
Bug Description:
While trying XSS injections, the dedi refused to boot with normal HTML tags inside the ServerDescription property.
<property name="ServerDescription" value="<a href='/testxss.html' onload=alert('xss test')>xss test</a>" />
2023-04-26T11:22:41 0.159 EXC '<', hexadecimal value 0x3C, is an invalid attribute character. Line 8, position 47.
So this looks normal behavior.
And I tried converting it to HTML entities:
<property name="ServerDescription" value="&lt;a href=&quot;/testxss.html&quot; onload=&quot;alert('xss test')&quot;&gt;xss test&lt;/a&gt;" />
And this one worked, but the HTML entities are converted to valid HTML tags by the dedicated server:
Screenshot of telnet query uploaded with the post.
You can also see the result in the tracker, which has XSS protections but shows a valid HTML tag:
https://7daystodie.online/servers/17147-europe-france-7daystodie-online-server-tracker-community
Detailed steps to reproduce the bug:
1) Just use the ServerDescription property above with HTML Entities
Expected result:
I haven't dug into the dedi Assembly.dll yet, I have no Visual Studio setup at this time, and can't see if it's normal behavior or not.
I know there is some markup to colorize text, and it is our web developers' responsibility to ensure injections will not happen, but the game should not process things like HTML entities.
This may be the door to other injections with c# or in-game things that I have not discovered/tried yet.
Thank you in advance! 🍻
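The two behaviours in the report, as an added example that is not part of the original post or of the game's code: a standard XML parser rejects a raw `<` inside an attribute value (the error the dedi logged), and it decodes `&lt;`/`&quot;` in a well-formed attribute into literal `<`/`"` before any application code sees them, so the "computed" HTML tag is ordinary XML entity decoding. The sample config document and the `render_description` function are constructed for this example; the practitioner-side takeaway is that a tracker must escape the value at output time.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample documents shaped like a serverconfig.xml fragment
# (not the real file); the first carries a raw '<' in the attribute,
# the second the HTML-entity form from the report.
RAW_TAG_CONFIG = """<?xml version="1.0"?>
<ServerSettings>
  <property name="ServerDescription" value="<a href='/testxss.html'>xss test</a>" />
</ServerSettings>
"""

ENTITY_CONFIG = """<?xml version="1.0"?>
<ServerSettings>
  <property name="ServerDescription"
            value="&lt;a href=&quot;/testxss.html&quot; onload=&quot;alert('xss test')&quot;&gt;xss test&lt;/a&gt;" />
</ServerSettings>
"""


def load_description(config_xml: str):
    """Return the ServerDescription value exactly as an XML parser yields it.

    A raw '<' inside an attribute value is not well-formed XML, so a conforming
    parser rejects the whole document; None is returned in that case.  In the
    entity form, the parser itself turns &lt; and &quot; back into '<' and '"',
    which is why the value later shows up as a real HTML tag.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    for prop in root.iter("property"):
        if prop.get("name") == "ServerDescription":
            return prop.get("value")
    return None


def render_description(description: str) -> str:
    """Hypothetical tracker output step: escape the decoded value when it is
    embedded in HTML, so '<a ...>' is displayed as text rather than parsed as
    markup.  quote=True also escapes the quote characters used in attributes."""
    return "<p>" + html.escape(description, quote=True) + "</p>"
```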